Encryption of network traffic relies on the reliable assignment and distribution of keys, for which a variety of protocols exist. The best-known and most widely used of these protocols are IKE (IETF RFC 2409) and IKEv2 (IETF RFC 5996). Both IKE and IKEv2 operate by creating Security Associations (SAs) for the establishment of encryption relationships between nodes and the exchange of keys, Security Parameter Indexes (SPIs) for indicating which particular SA to use when decrypting received traffic, and Traffic Selectors (TSs) for deciding which SA, if any, a given node uses when encrypting outgoing traffic. This type of architecture works well for most applications, but is challenged if the exchange of encrypted traffic between nodes is to be based on characteristics other than source and destination IP addresses and transport-layer ports.
The architecture provided by IKE together with IPsec (IETF RFC 4301) is widely deployed and well understood in the networking industry, where it largely serves as a means of providing encrypted traffic between network-layer endpoints, potentially narrowed further to transport-layer ports. This architecture provides a common transport fabric in which encryption capabilities are defined on a per-endpoint-pair basis. IPsec also has extensions that allow a group of nodes to share a common encryption architecture, and even keys. This is referred to as the Group Domain of Interpretation (GDOI, IETF RFC 3547). In GDOI, group keys are defined and then shared among a group of authenticated nodes, creating a larger set (>2) of nodes that share encryption attributes for the enablement of secured communication. The SAs defined in GDOI still employ the same style of granularity as previously mentioned in terms of matching traffic to an SA.
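The following is an added illustration, not part of the original text, of the two matching mechanisms described above: outbound traffic is matched to an SA by a Traffic Selector that sees only addresses, protocol and ports, while inbound traffic is matched by SPI; a GDOI-style group SA is then installed under one SPI into several nodes' databases. The class and function names (`TrafficSelector`, `SpdEntry`, `select_outbound`, `lookup_inbound`, `install_group_sa`), the node names and all addresses, SPIs and key identifiers are constructed for the example and are not taken from any RFC or product. The model deliberately shows the limitation the text names: two flows with the same 5-tuple but different application characteristics land on the same SA.

```python
"""Toy model of IPsec selector matching and SPI lookup (constructed example).

Not a real IPsec implementation: it models the Security Policy Database (SPD)
as an ordered list of traffic selectors and the Security Association Database
(SAD) as a per-node dict keyed by SPI, which is enough to show how traffic is
matched to an SA and why selectors cannot see application-level attributes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """Selector over the fields IKE/IPsec can match: prefixes, protocol, port ranges."""
    src: str                                   # source prefix in CIDR notation
    dst: str                                   # destination prefix in CIDR notation
    proto: int = 0                             # 6 = TCP, 17 = UDP, 0 = any
    sport: Tuple[int, int] = (0, 65535)        # inclusive source-port range
    dport: Tuple[int, int] = (0, 65535)        # inclusive destination-port range

    def matches(self, pkt: dict) -> bool:
        # Note: pkt["app"] (an application label) is never consulted here;
        # selectors only see network- and transport-layer fields.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (0, pkt["proto"])
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1])


@dataclass
class SecurityAssociation:
    spi: int        # Security Parameter Index carried in the ESP/AH header
    key_id: str     # stands in for the negotiated key material


@dataclass
class SpdEntry:
    selector: TrafficSelector
    action: str                                # "protect", "bypass" or "discard"
    sa: Optional[SecurityAssociation] = None   # SA used when action == "protect"


def select_outbound(spd, pkt: dict):
    """First-match SPD lookup for an outgoing packet: returns (action, sa).
    A packet matching no entry is discarded, mirroring the RFC 4301 default."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action, entry.sa
    return "discard", None


def lookup_inbound(sad: dict, spi: int) -> Optional[SecurityAssociation]:
    """Inbound side: the receiver picks the SA purely by the SPI in the packet."""
    return sad.get(spi)


def install_group_sa(sads: dict, members, sa: SecurityAssociation):
    """GDOI-style distribution: the same SA (same SPI, same key) is installed
    in every authenticated group member's SAD. Returns the members holding it."""
    for node in members:
        sads[node][sa.spi] = sa
    return [node for node in members if sads[node].get(sa.spi) is sa]


# --- constructed policy, SAs and packets ------------------------------------
SA_PAIR = SecurityAssociation(spi=0x1001, key_id="k-pair-1")    # pairwise SA
SA_GROUP = SecurityAssociation(spi=0x2001, key_id="k-group-1")  # group SA

SPD = [
    SpdEntry(TrafficSelector("10.1.0.0/16", "10.2.0.0/16", 6, dport=(443, 443)),
             "protect", SA_PAIR),
    SpdEntry(TrafficSelector("10.1.0.0/16", "239.1.1.0/24", 17), "protect", SA_GROUP),
    SpdEntry(TrafficSelector("10.1.0.0/16", "10.1.0.0/16"), "bypass"),
]

# Two flows with an identical 5-tuple but different application labels.
PKT_WEB = dict(src="10.1.0.5", dst="10.2.0.9", proto=6, sport=40000, dport=443, app="web")
PKT_API = dict(src="10.1.0.5", dst="10.2.0.9", proto=6, sport=40000, dport=443, app="api")
PKT_MCAST = dict(src="10.1.0.5", dst="239.1.1.7", proto=17, sport=5000, dport=5000, app="video")
PKT_LOCAL = dict(src="10.1.0.5", dst="10.1.0.8", proto=6, sport=40001, dport=22, app="ssh")
PKT_OTHER = dict(src="10.1.0.5", dst="10.3.0.1", proto=6, sport=40002, dport=80, app="web")

# Per-node SADs; only nodeA holds the pairwise SA, then the group SA is pushed to all.
SADS = {"nodeA": {SA_PAIR.spi: SA_PAIR}, "nodeB": {}, "nodeC": {}}
GROUP_MEMBERS = install_group_sa(SADS, ["nodeA", "nodeB", "nodeC"], SA_GROUP)


if __name__ == "__main__":
    for name, pkt in [("web", PKT_WEB), ("api", PKT_API), ("mcast", PKT_MCAST),
                      ("local", PKT_LOCAL), ("other", PKT_OTHER)]:
        action, sa = select_outbound(SPD, pkt)
        print(f"{name:6s} app={pkt['app']:5s} -> {action}"
              + (f" via SPI {sa.spi:#x}" if sa else ""))
    print("group SA members:", GROUP_MEMBERS)
    print("nodeB inbound SPI 0x2001 ->", lookup_inbound(SADS["nodeB"], 0x2001))
```

Running the block shows `web` and `api` both mapped to SPI 0x1001: the selector has no field in which a difference of application could be expressed, which is the granularity limit the text refers to. The group SA, by contrast, is a single SPI and key present in every member's SAD, so any member can decrypt traffic from any other without a pairwise negotiation.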